Embodiments of the present invention relate generally to methods and systems for database security and more particularly to maintaining and detecting tampering with audit records for a database.
Applications utilizing or monitoring a database or other data store can create audit records to keep a trail of changes performed by that or other applications. For example, an application performing a database operation or monitoring operations performed by other applications can create an audit record including information such as the operation performed, the target records, tables, etc., the party or parties performing the operations, the time at which the operation was performed, etc. These audit records can be saved to create an audit trail that can later be used in forensic investigations of the system.
Ideally, such an audit trail can be infinitely long and completely tamper-proof. Unfortunately, this is not possible. First of all, infinite storage is not available and even very large storage becomes impractical at some point. Furthermore, it is not possible to tamper-proof the audit records against all possible attacks. For example, even if the audit records are stored directly to a Write Once Read Many (WORM) device which is stored in a secured location, an attacker who has full control of the system can tamper with the records directly at the source, for example by modifying the application. Hence, there is a need in the art for improved methods and systems for efficiently and securely storing audit records and for detecting tampering with such records when it occurs.